Audit and Risk Committee terms of reference


1. Purpose


1.1. The Audit and Risk Committee supports the Management Board in
its role in respect of the effectiveness of the ICO’s risk
management system and procedures and its internal controls, by
reviewing the comprehensiveness and reliability of assurances on
governance, risk management, the control environment and the
integrity of financial statements and the annual report. It should
lead the assessment of the annual governance statement for the
Board.


1.2. The Committee will have particular engagement with the work of 
internal audit, risk management, the external auditor and financial 
management and reporting issues. 


1.3. In relation to risk management, the Audit and Risk Committee is 
part of the third line of defence in the ICO’s risk management 
framework. 


1.4. The Committee does not have any executive responsibilities.


2. Responsibilities


2.1. The Committee should ensure that arrangements are in place to 
enable it to discharge its responsibilities effectively, including: 


• formal procedures for the appointment of new Committee
members;
• allowing sufficient time for the Committee to discharge its
collective responsibilities effectively; and
• induction for new members on joining the Committee.


2.2. The Committee should agree and document an appropriate system 
to record and manage conflicts and potential conflicts of interest of 
Committee members. 


2.3. After each meeting of the Committee a report should be prepared
for the Board summarising the business undertaken by the
Committee and offering the views of and advice from the
Committee on issues on which it considers the Board should take
action. This can be by way of the minutes.


The Committee should provide an Annual report timed to support
the preparation of the governance statement. The report needs to
be open and honest in presenting the Committee’s views. It should
summarise the Committee’s work for the year past and present the
Committee’s opinion on:

• the effectiveness of governance, risk management and control
• the comprehensiveness of assurances in meeting the Board
and accounting officer needs
• the reliability and integrity of these assurances
• whether the assurance available is sufficient to support the
Board and accounting officer in their decision taking and
accountability obligations
• the implications of these assurances for the overall
management of risk
• any issues the Committee considers pertinent to the
governance statement and any long term issues the
Committee thinks the Board and accounting officer should
give attention to
• financial reporting for the year
• the quality of both internal and external audit and their
approach and responsibilities; and
• the Committee’s views of its own effectiveness, including
advice on ways in which it considers it needs to be
strengthened or developed.


Authority


The Committee’s authority derives from the Board.


Composition


4.1. The Committee consists of:

• The chair (a Non-executive Director)
• A Non-executive Director member
• An independent member


4.2. Members should have relevant experience and skills and at least
one or more of the members should have recent and relevant
financial experience.


4.3. Senior managers with financial responsibility should routinely
attend the Committee meetings, along with the Head of internal
audit and a representative of the external auditors.


4.4. The Information Commissioner is invited to attend all meetings of
the Committee and may attend if they wish. The Commissioner is
required to attend the meeting at which the Committee reviews
the ICO’s annual report and financial statements with a view to
recommending this to the Commissioner to sign off, as the
Accounting Officer (usually in June each year). The Chair may also
ask the Commissioner to attend any specific meeting.


4.5. The Committee may ask any other officials of the ICO to attend to
assist it with its discussions on any particular matter.


4.6. The Committee may ask any or all of those who normally attend
but who are not members to withdraw to facilitate open and frank
discussion of particular matters.


Quorum 


The Committee is quorate with the following members present: 


• At least two members of the Committee.


Information requirements


The Committee should ensure that arrangements are in place to 
enable it to discharge its responsibilities effectively, including the 
timely provision of information in an appropriate form and quality. 
This should include: 


• a report summarising any significant changes to the
organisation’s strategic risks and a copy of the
strategic/corporate risk register
• progress report from the Head of Internal Audit summarising:
  o work performed (and a comparison with work planned)
  o key issues emerging from the work of internal audit
  o management response to audit recommendations
  o changes to the agreed internal audit plan; and
  o any resourcing issues affecting the delivery of the
  objectives of internal audit.
• a progress report from the External Audit representative
summarising work done and emerging findings (this may
include, where relevant to the organisation, aspects of the
wider work carried out by the NAO, for example, Value for
Money reports and good practice findings)
• management assurance reports; and
• reports on the management of major incidents, “near misses”
and lessons learned.


6.2. As and when appropriate the Committee will also be provided with:

• the internal audit strategy
• the Head of Internal Audit’s Annual Opinion and Report
• quality Assurance reports on the internal audit function
• the draft accounts of the organisation
• the draft Governance Statement
• a report on any changes to accounting policies
• external Audit’s management letter
• a report on any proposals to tender for audit functions
• a report on co-operation between internal and external audit;
and
• the organisation’s Risk Management strategy


Access to the Chair of the Committee


The Head of Internal Audit and the representative of the external 
auditors have free and confidential access to the Chair of the Audit 
and Risk Committee. 


Budget 


The Audit and Risk Committee is not responsible for a specific 
budget. 


Secretariat 

Secretariat is provided by the Corporate Governance Team.


Frequency of meetings

The Committee should meet at least quarterly. 


Evaluation 


11.1. The Committee should ensure that arrangements are in place to 
enable it to discharge its responsibilities effectively, including a 
formal annual evaluation of the Committee’s performance. 


